OPKSSH is a project that makes it easy to SSH with single sign-on (SSO) technologies like OpenID Connect (OIDC), removing the need to manually manage and configure SSH keys. It does this without adding a trusted party other than your identity provider (IdP). We are excited to announce that OPKSSH has been open-sourced under the umbrella of the OpenPubkey project. While the underlying protocol OpenPubkey became an open source Linux foundation project in 2023, OPKSSH was closed source and owned by BastionZero (now Cloudflare). Cloudflare has gifted this code to the OpenPubkey project, making it open source.
In this post, we describe what OPKSSH is, how it simplifies SSH management, and what OPKSSH being open source means for you.
Background
A cornerstone of modern access control is single sign-on (SSO), where a user authenticates to an identity provider (IdP), and in response the IdP issues the user a token. The user can present this token to prove their identity, such as "Google says I am Alice". SSO is the rare security technology that both increases convenience - users only need to sign in once to get access to many different systems - and increases security.
OpenID Connect
OpenID Connect (OIDC) is the main protocol used for SSO. As shown below, in OIDC the IdP, called an OpenID Provider (OP), issues the user an ID Token which contains identity claims about the user, such as "email is alice@example.com". These claims are digitally signed by the OP, so anyone who receives the ID Token can check that it really was issued by the OP.
Unfortunately, while ID Tokens do include identity claims like name, organization, and email address, they do not include the user's public key. This prevents them from being used to directly secure protocols like SSH or End-to-End Encrypted messaging.
Note that throughout this post we use the term OpenID Provider (OP) rather than IdP, as OP specifies the exact type of IdP we are using, i.e., an OpenID IdP. We use Google as an example OP, but OpenID Connect works with Google, Azure, Okta, etc.
Figure 1: Shows a user Alice signing in to Google using OpenID Connect and receiving an ID Token
OpenPubkey
OpenPubkey, shown below, adds public keys to ID Tokens. This enables ID Tokens to be used like certificates, e.g. "Google says alice@example.com is using public key 0x123." We call an ID token that contains a public key a PK Token. The beauty of OpenPubkey is that, unlike other approaches, OpenPubkey does not require any changes to existing SSO protocols and supports any OpenID Connect compliant OP.
Figure 2: Shows a user Alice signing in to Google using OpenID Connect/OpenPubkey and then producing a PK Token
While OpenPubkey enables ID Tokens to be used as certificates, OPKSSH extends this functionality so that these ID Tokens can be used as SSH keys in the SSH protocol. This adds SSO authentication to SSH without requiring changes to the SSH protocol.
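As an added example (not code from the OpenPubkey or OPKSSH projects), the following Go sketch shows what a verifier must check before it treats the key inside a PK Token as belonging to the e-mail in the OP-signed ID Token. It assumes OpenPubkey's commitment mechanism, in which the client places a hash of its key material in the ID Token's nonce claim; the token layout, field names, the issuer URL and the use of Ed25519 as a stand-in for the OP's signature are all simplifications made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

var b64 = base64.RawURLEncoding
// PKToken (hypothetical, simplified layout): the OP-signed ID Token claims, the
// client instance claims (CIC) carrying the user's public key, and the user's
// signature proving possession of that key. Ed25519 stands in for the OP's RS256.
type PKToken struct{ Claims, OPSig, CIC, UserSig []byte }
// nonceFor is the commitment: SHA-256 of the CIC, sent to the OP as the OIDC nonce.
func nonceFor(cic []byte) string { h := sha256.Sum256(cic); return b64.EncodeToString(h[:]) }
// IssuePKToken plays the client and a simulated OP: the client commits to its key
// in the nonce, the OP signs the claims unchanged, then the client co-signs them.
func IssuePKToken(opPriv, userPriv ed25519.PrivateKey, email string) PKToken {
	rz := make([]byte, 16); rand.Read(rz) // fresh randomness keeps the nonce unpredictable
	cic, _ := json.Marshal(map[string]string{"alg": "EdDSA", "rz": b64.EncodeToString(rz),
		"upk": b64.EncodeToString(userPriv.Public().(ed25519.PublicKey))})
	claims, _ := json.Marshal(map[string]string{"iss": "https://op.example",
		"email": email, "nonce": nonceFor(cic)})
	return PKToken{claims, ed25519.Sign(opPriv, claims), cic, ed25519.Sign(userPriv, claims)}
}
// VerifyPKToken checks the three bindings a relying party (for OPKSSH, the server's
// AuthorizedKeysCommand) needs before treating upk as the SSH key for email.
func VerifyPKToken(opPub ed25519.PublicKey, t PKToken) (string, ed25519.PublicKey, error) {
	if !ed25519.Verify(opPub, t.Claims, t.OPSig) {
		return "", nil, errors.New("ID Token not signed by the OP")
	}
	var c struct{ Email, Nonce string }
	var cic struct{ Upk string }
	if json.Unmarshal(t.Claims, &c) != nil || json.Unmarshal(t.CIC, &cic) != nil {
		return "", nil, errors.New("malformed token")
	}
	if c.Nonce != nonceFor(t.CIC) { // the nonce must commit to exactly this CIC
		return "", nil, errors.New("public key not bound to ID Token")
	}
	upk, err := b64.DecodeString(cic.Upk)
	if err != nil || len(upk) != ed25519.PublicKeySize || !ed25519.Verify(upk, t.Claims, t.UserSig) {
		return "", nil, errors.New("user does not hold the committed private key")
	}
	return c.Email, ed25519.PublicKey(upk), nil
}
```

The returned public key is what an OPKSSH-style server would hand to sshd for the named user; the three checks are what stop an attacker from attaching their own key to someone else's genuine ID Token.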
Why this matters
OPKSSH frees users and administrators from the need to manage long-lived SSH keys, making SSH more secure and more convenient.
"In many organizations - even very security-conscious organizations - there are many times more obsolete authorized keys than they have employees. Worse, authorized keys generally grant command-line shell access, which in itself is often considered privileged. We have found that in many organizations about 10% of the authorized keys grant root or administrator access. SSH keys never expire." - Challenges in Managing SSH Keys - and a Call for Solutions by Tatu Ylonen (Inventor of SSH)
In SSH, users generate a long-lived SSH public key and SSH private key. To enable a user to access a server, the user or the administrator of that server configures that server to trust that user's public key. Users must protect the file containing their SSH private key. If the user loses this file, they are locked out. If they copy their SSH private key to multiple computers or backup the key, they increase the risk that the key will be compromised. When a private key is compromised or a user no longer needs access, the user or administrator must remove that public key from any servers it currently trusts. All of these problems create headaches for users and administrators.
OPKSSH overcomes these issues:
Improved security: OPKSSH replaces long-lived SSH keys with ephemeral SSH keys that are created on-demand by OPKSSH and expire when they are no longer needed. This reduces the risk a private key is compromised, and limits the time period where an attacker can use a compromised private key. By default, these OPKSSH public keys expire every 24 hours, but the expiration